CVE-2026-42208: LiteLLM SQL Injection Under Active Exploitation Within 36 Hours—Unauthenticated Pre-Auth Credential Database Access via Authorization Header Injection
Date: 2026-05-21
Tags: supply-chain
Executive Summary
CVE-2026-42208 (CVSS score: 9.3) is an SQL injection vulnerability that could be exploited to modify the LiteLLM proxy database: a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate bound parameter. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database; this timing is taken from the May 14 publication, which also reports exploitation continuing in May.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LiteLLM CVE-2026-42208 Exploitation Campaign |
| Attribution | Unknown (automated exploitation) (confidence: low) |
| Target | Organizations deploying LiteLLM proxy for centralized LLM credential and API management |
| Vector | HTTP Authorization header SQL injection to proxy database |
| Status | active |
| First Observed | 2026-04-26 (first exploitation); advisory published 2026-04-20 |
Detailed Findings
An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path. Through it, an attacker could read data from the proxy's database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages. The vulnerability fits the most common pattern for AI-infrastructure advisories: critical severity, pre-authentication, and in software with five-figure star counts that operators trust to centralize cloud-grade credentials. The 36-hour exploit window is consistent with the broader collapse documented by the Zero Day Clock, and the operator behavior (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC. The query runs before authentication is decided, so the injection is fully pre-auth: any HTTP client that can reach the proxy port is sufficient.
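To make the root cause concrete, the following is an added illustration, not LiteLLM's code or schema: a key lookup that splices the header value into the SQL text, beside the parameterized form that the fix amounts to. The table name `demo_proxy_keys`, its columns and the sample keys are constructed for the demo; the stand-in database is in-memory SQLite.

```python
"""Added example (not LiteLLM's code): an API-key lookup that splices the
caller-supplied key into SQL text, beside one that binds it as a parameter.
Table, columns and key values are constructed for the demo."""
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a proxy key table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo_proxy_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.executemany(
        "INSERT INTO demo_proxy_keys VALUES (?, ?)",
        [("sk-demo-1111", "team-a"), ("sk-demo-2222", "team-b")],
    )
    conn.commit()
    return conn


def lookup_key_unsafe(conn: sqlite3.Connection, api_key: str) -> Optional[Tuple[str, str]]:
    # Vulnerable pattern: the key becomes part of the SQL text, so any quote
    # character in the header changes the query instead of being compared.
    sql = f"SELECT token, team FROM demo_proxy_keys WHERE token = '{api_key}'"
    return conn.execute(sql).fetchone()


def lookup_key_safe(conn: sqlite3.Connection, api_key: str) -> Optional[Tuple[str, str]]:
    # Hardened pattern: the key travels as a bound parameter; the driver never
    # interprets it as SQL, whatever characters it contains.
    sql = "SELECT token, team FROM demo_proxy_keys WHERE token = ?"
    return conn.execute(sql, (api_key,)).fetchone()


def classify(conn: sqlite3.Connection, api_key: str) -> dict:
    """Run both lookups on the same header value and report what each did."""
    result = {"safe": lookup_key_safe(conn, api_key)}
    try:
        result["unsafe"] = lookup_key_unsafe(conn, api_key)
        result["unsafe_error"] = None
    except sqlite3.Error as exc:
        # A stray quote reaches the parser as SQL: the query breaks rather
        # than failing the comparison. This is the signal the error-handling
        # path in the advisory exposes to the caller.
        result["unsafe"] = None
        result["unsafe_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    db = make_db()
    for key in ("sk-demo-1111", "sk-demo-1111'", "sk-unknown"):
        print(repr(key), classify(db, key))
```

The parameterized lookup treats a key containing a quote as an ordinary, non-matching string and returns no row; the concatenating version hands the same quote to the SQL parser, which is exactly the behaviour a query-text injection depends on. The practical check for any codebase is that no f-string, `%` or `.format()` ever builds the text of a query from request data.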
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| SQL Injection | T1190 | Exploitation of unsanitized SQL query in LiteLLM API key verification |
| Credential Access | T1110 | Extraction of LLM provider API keys and cloud credentials from compromised database |
| Data Exfiltration | T1041 | Exfiltration of LLM API credentials enabling unauthorized model access |
IOCs
Domains
_CVE-2026-42208 GHSA-r75f-5x8p-qvmc; exploitation signatures and working PoCs available in security research community._
Full URL Paths
https://docs.litellm.ai/blog/security-update-march-2026
https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
Splunk Format
"https://docs.litellm.ai/blog/security-update-march-2026" OR "https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html"
Package Indicators
litellm
Detection Recommendations
- Upgrade LiteLLM to version 1.83.7-stable or later immediately.
- If earlier versions must remain in service, restrict access to the proxy port to trusted clients only through network segmentation.
- Monitor logs for Authorization header values containing SQL metacharacters or repeated quote characters.
- Detect anomalous database queries targeting API key tables (litellm_proxy_keys, user_api_keys, or similar).
- Enable SQL query parameterization logging.
- Set up alerts on database access from the pre-auth error path.
- Audit all proxy database access logs for unauthorized reads and writes since April 20, 2026.
- Rotate all LLM API credentials managed by affected proxy instances.
- Deploy WAF rules blocking SQL injection patterns in Authorization headers.
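The header-monitoring recommendation above can be turned into a small log scanner. The following is an added example, not part of the advisory and not a LiteLLM feature: it parses a constructed access-log format, flags Authorization values that carry SQL metacharacters or repeated quotes, and counts hits per source address so that bursts against the error path (401/500 responses) stand out. The log format, the field names and every sample line are constructed; real proxy logs will need their own parse expression.

```python
"""Added example (not part of the advisory): scan access-log lines for
Authorization header values carrying SQL metacharacters or repeated quotes.
Log format, sample lines and source addresses are constructed for the demo."""
import re
from typing import Dict, List

# Constructed access-log format: one request per line, header value in quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'auth="(?P<auth>[^"]*)" status=(?P<status>\d{3})$'
)

# Characters and fragments that have no business inside a bearer token.
SQL_METACHARS = re.compile(r"['\";]|--|/\*|\*/")
REPEATED_QUOTES = re.compile(r"'{2,}|\"{2,}")
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2026-04-26T16:17:03Z 203.0.113.7 POST /chat/completions auth="Bearer sk-demo-1111" status=200
2026-04-26T16:17:09Z 203.0.113.7 POST /chat/completions auth="Bearer sk-x'" status=500
2026-04-26T16:17:10Z 203.0.113.7 POST /chat/completions auth="Bearer sk-x''''" status=500
2026-04-26T16:17:12Z 198.51.100.4 GET /models auth="Bearer sk-demo-2222" status=200
2026-04-26T16:17:15Z 203.0.113.7 POST /chat/completions auth="Bearer sk-x' -- " status=401
"""


def score_header(auth: str) -> List[str]:
    """Return the list of reasons a header value looks like injection, or []."""
    reasons: List[str] = []
    if SQL_METACHARS.search(auth):
        reasons.append("sql-metachar")
        # Keywords alone are noisy (a random token can contain "drop"), so they
        # only count when a metacharacter is also present.
        if SQL_KEYWORDS.search(auth):
            reasons.append("sql-keyword")
    if REPEATED_QUOTES.search(auth):
        reasons.append("repeated-quotes")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each line and keep those whose Authorization value was flagged."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        reasons = score_header(m["auth"])
        if reasons:
            findings.append({
                "ts": m["ts"],
                "src": m["src"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address for alert thresholds."""
    counts: Dict[str, int] = {}
    for f in findings:
        src = str(f["src"])
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("per source:", by_source(hits))
```

Of the five constructed lines, the three from 203.0.113.7 with quotes in the token are flagged and all three ended in the proxy's error path (500, 500, 401), which is the combination worth alerting on; the two well-formed keys pass silently. Tune the keyword list and the metacharacter set against a sample of legitimate traffic before enabling alerts, because any token scheme that allows punctuation will need the patterns narrowed.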
References
- [The Hacker News] LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure (2026-04-26) — https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- [SecurityWeek] Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure (2026-04-26) — https://www.securityweek.com/fresh-litellm-vulnerability-exploited-shortly-after-disclosure/
- [Sysdig Threat Research] LiteLLM SQL Injection Active Exploitation Blog (2026-05-14) — https://webflow.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours